CVE-2026-2913

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-2913
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2913.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-2913
Downstream
Related
Published
2026-02-22T04:15:59.790Z
Modified
2026-03-04T12:13:52.566282Z
Severity
  • 7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A vulnerability was determined in libvips up to 8.19.0. The affected element is the function vipssourcereadtomemory of the file libvips/iofuncs/source.c. This manipulation causes heap-based buffer overflow. It is possible to launch the attack on the local host. The attack's complexity is rated as high. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. Patch name: a56feecbe9ed66521d9647ec9fbcd2546eccd7ee. Applying a patch is the recommended action to fix this issue. The confirmation of the bugfix mentions: "[T]he impact of this is negligible, since this only affects custom seekable sources larger than 4 GiB (and the crash occurs in user code rather than libvips itself)."

References

Affected packages

Git / github.com/libvips/libvips

Affected ranges

Type
GIT
Repo
https://github.com/libvips/libvips
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
a56feecbe9ed66521d9647ec9fbcd2546eccd7ee

Affected versions

v7.*
v7.28.0
v7.30.0
v8.*
v8.0-beta
v8.1
v8.10.0
v8.10.0-beta1
v8.10.0-beta2
v8.10.0-rc1
v8.10.0-rc2
v8.10.1
v8.10.2
v8.10.3
v8.10.4
v8.10.5
v8.10.6
v8.10.6-beta
v8.10.6-beta2
v8.11
v8.11.0
v8.11.0-rc1
v8.11.1
v8.11.2
v8.11.3
v8.11.4
v8.12.0
v8.12.0-rc1
v8.12.1
v8.12.2
v8.13.0
v8.13.0-pre1
v8.13.0-rc1
v8.13.0-rc2
v8.13.1
v8.13.2
v8.13.3
v8.14.0
v8.14.0-rc1
v8.14.1
v8.14.2
v8.14.3
v8.14.4
v8.14.5
v8.15.0
v8.15.0-rc1
v8.15.0-rc2
v8.15.1
v8.15.2
v8.15.2a
v8.15.3
v8.15.4
v8.15.4-rc1
v8.15.5
v8.15.5-rc1
v8.16.0
v8.16.0-rc1
v8.16.0-rc2
v8.16.1
v8.17.0
v8.17.0-rc1
v8.17.0-test1
v8.17.0-test2
v8.17.0-test3
v8.17.0-test4
v8.17.1
v8.17.2
v8.17.3
v8.18.0
v8.18.0-alpha1
v8.18.0-alpha2
v8.18.0-rc1
v8.18.0-rc2
v8.18.0-rc3
v8.2.2
v8.2.3
v8.3.0
v8.4.2
v8.5.1
v8.5.2
v8.5.3
v8.5.4
v8.5.5
v8.5.6
v8.5.7
v8.5.8
v8.5.9
v8.6.0
v8.6.0-alpha1
v8.6.0-alpha2
v8.6.0-alpha3
v8.6.0-alpha4
v8.6.0-alpha5
v8.6.0-beta1
v8.6.0-beta2
v8.6.1
v8.6.2
v8.6.3
v8.6.4
v8.7.0
v8.7.0-alpha1
v8.7.0-alpha2
v8.7.0-rc1
v8.7.0-rc2
v8.7.0-rc3
v8.7.1
v8.7.2
v8.7.3
v8.7.4
v8.8.0
v8.8.0-rc1
v8.8.0-rc2
v8.8.0-rc3
v8.8.1
v8.8.2
v8.8.3
v8.9.0
v8.9.0-alpha1
v8.9.0-beta1
v8.9.0-beta2
v8.9.0-rc1
v8.9.0-rc2
v8.9.0-rc3
v8.9.0-rc4
v8.9.1
v8.9.2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2913.json"
vanir_signatures 
[
    {
        "digest": {
            "length": 775.0,
            "function_hash": "81264585116533091837063788852293356148"
        },
        "id": "CVE-2026-2913-5a11eaa3",
        "source": "https://github.com/libvips/libvips/commit/a56feecbe9ed66521d9647ec9fbcd2546eccd7ee",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "libvips/iofuncs/source.c",
            "function": "vips_source_read_to_memory"
        },
        "signature_type": "Function"
    },
    {
        "digest": {
            "length": 574.0,
            "function_hash": "279356752735390688259417901222994911966"
        },
        "id": "CVE-2026-2913-7ef49fc9",
        "source": "https://github.com/libvips/libvips/commit/a56feecbe9ed66521d9647ec9fbcd2546eccd7ee",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "libvips/iofuncs/source.c",
            "function": "vips_source_sniff_at_most"
        },
        "signature_type": "Function"
    },
    {
        "digest": {
            "line_hashes": [
                "291448142552276877238239624487094499721",
                "277299268939537619061950602027585820324",
                "57889987333450730656555089459468282285",
                "186642217395441230341228737770801529885",
                "127923444120314266074828930554756515529",
                "31840049729374283735286227556657049616",
                "40021833950460327588074593176553216811",
                "277477501770652099506644695600975927493",
                "187344673546717005577755839519469378636",
                "97492122235911535734619043184465836729",
                "167413512332663410538673819788118789172",
                "299456589952915040149822499343749301177",
                "10724964163555143445057729214951748917",
                "91032309382667330543825027952811401080",
                "1409473997676061592705228740946968134"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2026-2913-86b7a855",
        "source": "https://github.com/libvips/libvips/commit/a56feecbe9ed66521d9647ec9fbcd2546eccd7ee",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "libvips/iofuncs/source.c"
        },
        "signature_type": "Line"
    }
]